Tell HN: Don't Install BaseShield App Store

12 points by arjungmenon ↗ HN
Many of you might have heard about the BaseShield App Store (http://news.ycombinator.com/item?id=376676).

I recently installed it on my Windows laptop. During installation it accessed and modified the memory of processes associated with the security suite I had. (Symantec Endpoint Protection).

It claims on its website to be More than malware-free. The installer binary for Windows is from a company called "Secure By Design".

Then why does it access files on my PC, that has nothing to do with it? (that too, reading and writing into the memory of processes associated with my security suite).

When I tried uninstalling the program, it took a long time; told me to restart my computer to finsih un-installation; then produced an error message saying that some files could not removed.

I have a strong feeling that this app is nothing more than an elaborate piece of malware. I strongly encourage everyone to abstain from installing BaseShield App Store on your computers.

8 comments

[ 2.9 ms ] story [ 34.7 ms ] thread
Here is Symantec Endpoint Protection's log of the tampering done by BaseShield App Store.

Date and Time,Computer,User,Action Taken,Object Type,Event,Actor,Target,Target Process 11/28/2008 9:27:14 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Free,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 1984),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Thread,Resume,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 1984),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Write,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 1984),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Allocation,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 1984),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1),C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (PID 3536, terminal session 1) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Free,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 2272),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Thread,Resume,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 2272),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Write,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 2272),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700) 11/28/2008 9:27:13 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Allocation,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 2272),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700),C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (PID 3700) 11/28/2008 9:27:12 PM,ARJUN-LAPTOP,Administrator,Logged,Memory,Free,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 596),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528) 11/28/2008 9:27:11 PM,ARJUN-LAPTOP,SYSTEM,Logged,Thread,Resume,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 596),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528) 11/28/2008 9:27:11 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Write,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 596),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528) 11/28/2008 9:27:11 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Allocation,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 596),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528),C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (PID 3528) 11/28/2008 9:27:11 PM,ARJUN-LAPTOP,SYSTEM,Logged,Memory,Free,C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe (PID 2004),C:\Program Files\Common Files\Symantec Shared\ccApp.exe (PID 1268, terminal session 1),C:\Program Files\Common Files\Symantec Shared\ccApp.exe (PID 1268, terminal session 1) 11/28/2008 9:27:10 PM,ARJUN-LAPTOP,SYSTEM,Logged,Thread,Resume,C:\W...

This is a really hard to decipher blob of text. Care to point out some examples of offending entries and interpret what they mean?
Yup. Here's the essence of the log file:

SecProxy.exe from BaseShield App Store.(C:\Windows\system32\BaseShield\BaseShield\SecProxy.exe) performed operations on the following processes belonging to Symantec Endpoint Protection:

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

The operations it performed include "Memory Free", "Thread Resume", "Memory Write", "Memory Allocation".

I don't know why any app, let alone BaseShield would have to access and modify the memory of a program totally unrelated to it.

Wasn't BaseShield funded in part from YCombinator - can we get some more information from the original team on this ?
Hi, this is Sascha from BaseShield.

Sorry about this confusion, such messages can be worrying, but let me assure you that BaseShield is not doing anything malicious here. Symantec Endpoint Security is reporting some activity that is in fact happening but is not malicious. To achieve its high level of sandbox security, BaseShield in some cases loads dlls into other processes. This is a common technique that is natively supported by the Windows API and is in itself perfectly safe. We will investigate how this can be avoided and try to make sure BaseShield does not trigger these warnings with this product.

Again, apologies for the inconvenience. Please contact me directly at sascha (at) baseshield.com if you have any questions about this.

UPDATE: Symantec Endpoint Protection appears to be prone to showing false alerts. This not only affects BaseShield but also other products, including Microsoft Virtual PC.

https://forums.symantec.com/syment/board/message?board.id=en...

https://forums.symantec.com/syment/board/message?board.id=en...

https://forums.symantec.com/syment/board/message?board.id=en...

"I have a strong feeling that this app is nothing more than an elaborate piece of malware."

Baseshield is funded by YC. They're perfectly legit.